Infosec bods demo GPU keylogger. Don't tell the NS... oh, wait

Threat relies on in-transit interception of hardware

Security researchers have demonstrated how malicious code can be run on graphics processors (GPUs) rather than the central processing unit (CPUs) at the heart of a computer.

Team Jellyfish's Demon keylogger proof-of-concept code operates in a blind spot that conventional security software is simply not designed to inspect.

The nasty – which runs on AMD and NVIDIA graphics cards – would be capable of capturing keystrokes and passwords before storing them in GPU memory. The associated Jellyfish rootkit is capable of spying on CPU host memory via direct memory access (DMA).

Both strains of the nasty work on Linux systems, but doing something similar on Windows or Mac machines would appear to present few difficulties. Even on Linux machines neither of the nasties are ready for malicious misuse, fortunately. Team Jellyfish said it's working on a proof-of-concept remote access tool (RAT) for Windows computers.

Graphics cards are already widely used for number crunching applications such as password cracking and Bitcoin mining. The possibility that malware authors might be able to hook into this power is bad news, because it could allow the bad guys to more easily run more complex polymorphic and encryption routines, aside from the more general risk of even more stealthy malware.

Other security researchers have previously looked into the issue, most notably via a research paper entitled You Can Type, But You Can’t Hide: A Stealthy GPU-based Keylogger (pdf), published in 2013.

Writing malware for graphics cards offers greater stealth, but also presents practical problems – chiefly how to infect cards in the first place. Pre-installing infected cards is the obvious route here, but would require physical access, something that pushes this sort of malfeasance into the realms of spookdom rather than ordinary criminal enterprises.

"It is easy, in this post-Snowden world, to imagine a scenario where a state-sponsored attacker might have the means and ability to either meddle with the supply chain of a graphics card manufacturer to embed malware, or to poison legitimate hardware as it is en route from a supplier to a particular organisation," writes security veteran Graham Cluley in a post on patch management firm Lumension's blog.

Leaked documents have revealed that the NSA’s Tailored Access Operations (TAO) unit intercepted deliveries of Cisco routers and other technology to implant custom firmware on them prior to delivery. Something similar could be done with tainted graphics cards, according to Cluley.

"If it can be done with routers, it could be done with graphics cards," he concludes. "It wouldn’t be a surprise to find organisations taking a more suspicious look at their graphics cards in the years to come." ®